WEBVTT 1 00:00:05.320 --> 00:00:09.880 Hello everybody, and welcome to another exciting episode of JavaScript Jabber. 2 00:00:10.439 --> 00:00:14.480 Today on our panel, we've got a j O'Neil how aj. 3 00:00:15.359 --> 00:00:18.640 Yo yo yo, coming at you live from the Shed. 4 00:00:19.160 --> 00:00:22.600 The Purple Room, the Purple Room, and. 5 00:00:22.559 --> 00:00:26.719 Steve Edwards yo coming at you from a how's always 6 00:00:26.719 --> 00:00:28.480 cool and cloudy Portland this time of year? 7 00:00:29.480 --> 00:00:29.800 Wow? 8 00:00:30.000 --> 00:00:33.439 Here in tel Aviv it's well, it's effectively summer really, 9 00:00:35.439 --> 00:00:39.119 So we've got two great guests with us this week. 10 00:00:39.479 --> 00:00:43.640 We've got Ariel Schulmann and we've got Liran Tal Say 11 00:00:43.679 --> 00:00:45.799 hi to our listeners please. 12 00:00:46.640 --> 00:00:51.119 Hey, how's everybody going live from Tel Aviv? Which is 13 00:00:51.560 --> 00:00:52.840 again summer here now? 14 00:00:53.799 --> 00:00:54.399 So jealous? 15 00:00:55.280 --> 00:00:59.560 Yeah, we got like really want we got to tease 16 00:00:59.679 --> 00:01:02.200 really two really warm days last week during the kids 17 00:01:02.200 --> 00:01:04.560 spring break, and then went back to the cool and rainy, 18 00:01:04.599 --> 00:01:07.200 which it's great for skiing, didn't snow up on the mountain, 19 00:01:07.239 --> 00:01:08.959 but not so much for everybody else. 20 00:01:09.719 --> 00:01:13.799 We had two rainy days. 21 00:01:13.200 --> 00:01:18.519 Yeah, this year we hardly had any any winter really, 22 00:01:19.760 --> 00:01:22.200 it was mostly summer all year long. 23 00:01:22.480 --> 00:01:24.200 This year. I'm kind of springish. 24 00:01:24.680 --> 00:01:27.280 Just the best part of global warming. When the winter 25 00:01:27.439 --> 00:01:29.120 is warm, it's enjoy. 26 00:01:30.480 --> 00:01:35.760 Yeah, so putting the weather aside, Uh, we are here 27 00:01:35.799 --> 00:01:37.959 to talk about typescript. 28 00:01:38.079 --> 00:01:42.120 I guess in the context of oh no. 29 00:01:42.120 --> 00:01:45.280 Already we're already going to start fighting. 30 00:01:45.599 --> 00:01:46.599 Yeah, typescript. 31 00:01:46.640 --> 00:01:48.840 But I guess in the in general or in the 32 00:01:48.879 --> 00:01:55.359 context of security, maybe both, maybe both. So I think 33 00:01:55.599 --> 00:02:00.439 like everybody knows what typescript is, and from what I've 34 00:02:00.480 --> 00:02:05.719 been experiencing and seeing, everybody is more or less using typescript. 35 00:02:06.719 --> 00:02:11.360 I'm hard pressed to think about projects that don't use 36 00:02:11.400 --> 00:02:16.680 typescript unless they're really legacy projects. Any new projects seems 37 00:02:16.719 --> 00:02:21.240 to be written in typescript. Does anybody disagree with this statement? 38 00:02:21.919 --> 00:02:24.439 Absolutely secure standard. 39 00:02:25.159 --> 00:02:28.960 Please in the enterprise space, even not in. 40 00:02:28.919 --> 00:02:33.520 The enterprise base, I would say that even small projects 41 00:02:33.719 --> 00:02:36.719 tend to start with typescript now for the sake of 42 00:02:36.719 --> 00:02:38.240 the developer experience. 43 00:02:38.439 --> 00:02:41.680 Well, for the sake of AI, because you use an 44 00:02:41.719 --> 00:02:45.560 AI tool to generate your code and it generates it 45 00:02:45.599 --> 00:02:46.280 in typescript. 46 00:02:47.280 --> 00:02:51.159 I think before that, though, like you had, like even 47 00:02:51.199 --> 00:02:53.840 starter projects, like the default for like astro, if you 48 00:02:53.879 --> 00:02:57.039 wanted a blog would be like defaulting to typescript, and 49 00:02:57.280 --> 00:03:00.879 you know things like that. So you'd think a framework 50 00:03:00.960 --> 00:03:03.639 or some library and like it would default you to typescript, 51 00:03:03.639 --> 00:03:06.080 and I think it would be if you weren't doing 52 00:03:06.199 --> 00:03:09.599 typscript before, you'd like have to mess around with it 53 00:03:09.639 --> 00:03:12.240 to figure out how to like don add to typescript here, 54 00:03:14.479 --> 00:03:19.120 which maybe I know because I'm not naturally a typescript 55 00:03:19.520 --> 00:03:22.960 but yeah, I also do agree like the typescript that's 56 00:03:23.039 --> 00:03:24.800 kind of like taken over the system, and I think 57 00:03:24.800 --> 00:03:25.240 that's okay. 58 00:03:26.080 --> 00:03:27.919 Oh yeah, by the way, it just said that you 59 00:03:28.080 --> 00:03:31.879 switched audio devices for some reason, do you hear me? 60 00:03:32.520 --> 00:03:36.000 Yeah, yeah, yeah, it seems it's not coming through your 61 00:03:36.159 --> 00:03:42.879 microphone anyway. Uh. Probably the only scenario where I'm probably 62 00:03:43.000 --> 00:03:47.280 unlikely to use typescript would be if I'm doing something 63 00:03:47.360 --> 00:03:51.919 like a lead code interview. Uh, and then I you know, 64 00:03:52.560 --> 00:03:55.240 in that type of a situation, I probably just. 65 00:03:56.240 --> 00:03:59.000 Use photo, which is JavaScript essentially. 66 00:03:59.159 --> 00:04:04.840 Yeah, like you you're going for speed rather than for 67 00:04:06.039 --> 00:04:06.800 type safety. 68 00:04:07.360 --> 00:04:09.439 I mean, I can I can tell you why some 69 00:04:09.479 --> 00:04:14.439 of us maintainers hate the divescript part, which is for debugging, 70 00:04:15.039 --> 00:04:18.639 which was a long time pain for debugging like currently 71 00:04:18.680 --> 00:04:23.600 installed libraries like they're already like you know, went through 72 00:04:23.639 --> 00:04:27.439 like the build phase and they're electron spiled and it's 73 00:04:27.480 --> 00:04:31.399 it's a mess debugging it. So that was something that 74 00:04:31.519 --> 00:04:34.759 was like, I mean, it's still kind of painful, but 75 00:04:34.800 --> 00:04:37.480 as a maintainer or as a as a dev have 76 00:04:37.560 --> 00:04:41.160 to maintain within the note modules package for older you, 77 00:04:41.319 --> 00:04:44.079 you'd kind of get lost and really want to reap 78 00:04:44.959 --> 00:04:47.000 all your herd out just because of it. 79 00:04:47.160 --> 00:04:48.680 Even though now everything changes. 80 00:04:49.199 --> 00:04:49.879 Yeah, yeah, I. 81 00:04:49.879 --> 00:04:52.439 Think we're on a better trajectory now a real We're 82 00:04:52.480 --> 00:04:55.240 still not on your microphone though, I think I. 83 00:04:55.199 --> 00:04:56.439 Need to lock out and knock back, and. 84 00:04:56.639 --> 00:04:58.680 It's the JavaScript microphone. 85 00:04:59.759 --> 00:05:02.839 See see typescript bug. And I'm gonna log out and 86 00:05:02.839 --> 00:05:03.399 log back in. 87 00:05:03.759 --> 00:05:11.079 No problem, We'll be waiting for you. So yeah, I guess. 88 00:05:11.160 --> 00:05:19.240 I guess that's true in in the sense that whenever 89 00:05:19.319 --> 00:05:22.279 you like, I think we had guilta yao on the 90 00:05:22.319 --> 00:05:25.439 show like a long time ago, speaking about that very 91 00:05:25.519 --> 00:05:30.399 fact about why he actually used to prefer jas doc 92 00:05:31.639 --> 00:05:40.399 over over you know, using typescript because he wanted to 93 00:05:40.439 --> 00:05:45.120 avoid the transpilation on the note side. His argument was 94 00:05:45.160 --> 00:05:48.560 that on the browser side, you're going to have transpilation 95 00:05:48.720 --> 00:05:53.240 anyway because of the bundling, because of JSX, so you 96 00:05:53.319 --> 00:05:55.759 might as well do typescript as well. But on the 97 00:05:55.800 --> 00:05:58.639 note side, where you could have just run the code 98 00:05:58.680 --> 00:06:03.120 as you wrote it, Transpiling never adds value in that sense, 99 00:06:03.240 --> 00:06:04.759 and I totally agree with that. 100 00:06:05.040 --> 00:06:06.560 Well, I don't know if you remember the whole big 101 00:06:06.600 --> 00:06:10.279 stink that's Vell basically did that exact same thing, where 102 00:06:10.319 --> 00:06:13.079 they've had a whole big announcement about we're getting rid 103 00:06:13.120 --> 00:06:16.160 of typescript and what they started doing with jastocks, and 104 00:06:16.199 --> 00:06:17.600 we talked to Rich Harris about them. 105 00:06:18.759 --> 00:06:23.240 I think we can maybe draw the line because jstocks 106 00:06:23.319 --> 00:06:26.959 is still typescript. Okay, there's typescript as a language as 107 00:06:27.000 --> 00:06:30.839 a developer tool, and there's Typescript as the transpiler, and 108 00:06:31.120 --> 00:06:36.399 you can enjoy typescript on your ID even without transpiling, 109 00:06:36.439 --> 00:06:39.519 which is what j stocks does, you're still writing Typescript. 110 00:06:40.079 --> 00:06:43.600 They are fundamentally different languages. JavaScript has a type system. 111 00:06:43.680 --> 00:06:45.759 It has a finite set of types, and there's things 112 00:06:45.759 --> 00:06:48.800 that you can and cannot do with those types. Typescript 113 00:06:48.959 --> 00:06:52.000 as a version five has become much better at dealing 114 00:06:52.040 --> 00:06:55.120 with JavaScript types. But Typescript was designed to deal with 115 00:06:55.199 --> 00:06:57.959 C sharp types and to apply them to a browser, 116 00:06:58.399 --> 00:07:01.399 and so the pattern of code that you get with 117 00:07:01.480 --> 00:07:07.519 Typescript versus JavaScript is radically and wildly different. You cannot 118 00:07:07.800 --> 00:07:11.199 easily write simple programs and typescripts, certainly not with AI, 119 00:07:11.839 --> 00:07:15.079 but you can write simple programs in JavaScript because JavaScript 120 00:07:15.120 --> 00:07:20.439 does not require complex type hierarchies and JavaScript type system 121 00:07:20.600 --> 00:07:21.759 is not turing complete. 122 00:07:22.639 --> 00:07:25.639 But wouldn't you say that large systems have large type 123 00:07:25.680 --> 00:07:29.480 hierarchies and require applications contexts. 124 00:07:29.720 --> 00:07:33.120 Why would they? Why would you need to have large 125 00:07:33.160 --> 00:07:37.120 type hierarchies. That's the design flaw, that's not something inherent 126 00:07:37.199 --> 00:07:38.839 of the system. 127 00:07:39.160 --> 00:07:39.800 I mean, look at GO. 128 00:07:40.720 --> 00:07:45.120 I think the large type hierarchies were an attribute of 129 00:07:45.279 --> 00:07:51.959 Typescript in the early days, where indeed the language was 130 00:07:52.319 --> 00:07:56.519 kind of directing you toward building class hierarchies. All the 131 00:07:56.560 --> 00:07:59.240 examples at least were written that way. But I think 132 00:07:59.639 --> 00:08:02.680 people are not have not been writing Typescript in this 133 00:08:02.759 --> 00:08:06.759 way for a while now. Most of the typescript code 134 00:08:06.800 --> 00:08:11.560 that I'm seeing can be thought of as JavaScript with 135 00:08:11.680 --> 00:08:17.279 static types. People are not building these huge collections of classes, 136 00:08:17.879 --> 00:08:25.600 and then with implementing interfaces and building Typescript that way. 137 00:08:25.959 --> 00:08:28.759 I'm just not seeing it now. It might be because 138 00:08:28.759 --> 00:08:32.840 of React, because React went with hooks rather than with classes, 139 00:08:33.639 --> 00:08:36.960 or it might be that people just discover that they 140 00:08:37.000 --> 00:08:41.080 could use typescript in a more JavaScript sort of way. 141 00:08:41.240 --> 00:08:41.840 I don't know. 142 00:08:41.879 --> 00:08:44.759 Maybe it's a combination of both, but that's the reality 143 00:08:44.799 --> 00:08:45.600 that I'm seeing. 144 00:08:47.000 --> 00:08:49.720 I think there are also two like there are many 145 00:08:49.759 --> 00:08:52.159 ways to use typescript. Yeah, you can take it in 146 00:08:52.240 --> 00:08:57.000 the very c sharp like old schoolp way, but you 147 00:08:57.039 --> 00:09:01.279 can also use typescript as just a tract maker, just 148 00:09:01.759 --> 00:09:05.759 to define a contract that a function expects some contract 149 00:09:05.799 --> 00:09:10.000 as an input and expects to return some other type 150 00:09:10.000 --> 00:09:12.600 as an output, which is like defining contracts. And you 151 00:09:12.600 --> 00:09:15.080 can also use typescripting like in a higher level, which 152 00:09:15.120 --> 00:09:17.720 is to create an applications context. So if I have 153 00:09:17.759 --> 00:09:20.440 a function that accepts a name and an ID and 154 00:09:20.519 --> 00:09:22.720 another function that accepts an object with a name and 155 00:09:22.759 --> 00:09:25.960 an ID, I can say that both functions accept the 156 00:09:26.000 --> 00:09:29.360 type of person. And by doing this, I created a 157 00:09:29.519 --> 00:09:33.759 context between these two functions. And I think that is 158 00:09:34.000 --> 00:09:38.840 kind of what's big about typescript. And do you know, 159 00:09:39.240 --> 00:09:41.840 do you guys know how typescript like, how did it start? 160 00:09:43.200 --> 00:09:44.519 How did that start? 161 00:09:44.559 --> 00:09:47.279 It? I will let you talk about that. 162 00:09:47.399 --> 00:09:49.759 And by the way, there's a documentary about that but 163 00:09:49.840 --> 00:09:52.960 before that, I do have to mention that these days 164 00:09:53.000 --> 00:09:57.279 in Node we do have a building support for type stripping, 165 00:09:57.720 --> 00:10:01.320 which effectively just erases the type out. So that means 166 00:10:01.799 --> 00:10:07.960 that we can now use typescript files without transpilation with Node. 167 00:10:08.080 --> 00:10:11.799 We don't have to use js doc for that purpose anymore. 168 00:10:12.320 --> 00:10:17.240 It's transpiled internally like it is still transpiled. It uses 169 00:10:17.240 --> 00:10:21.039 an SWC plug in like it just transpis it internally 170 00:10:21.240 --> 00:10:23.519 inside notes. The code has. 171 00:10:23.399 --> 00:10:26.240 Transponed obviously because at the end of the day, Node 172 00:10:26.360 --> 00:10:30.480 is using v eight, which is a JavaScript engine. 173 00:10:30.519 --> 00:10:32.320 It's not a typescript engine. 174 00:10:32.320 --> 00:10:36.000 So it needs But it still means first of all, 175 00:10:36.039 --> 00:10:40.440 the transpilation is basically just erasing the types. It replaces 176 00:10:40.519 --> 00:10:47.399 the type declarations with white spaces, and the as I said, 177 00:10:47.399 --> 00:10:50.960 the interesting or the useful aspect of it is that 178 00:10:51.039 --> 00:10:54.080 you can use the same source files. You don't need 179 00:10:54.159 --> 00:10:59.399 to go through a transpilation step before loading the files 180 00:10:59.440 --> 00:11:02.279 into Node. What you used to need something like tis 181 00:11:02.240 --> 00:11:04.600 snowed for in the past. You can just do it 182 00:11:04.639 --> 00:11:07.279 with Node itself now. And obviously you can do the 183 00:11:07.320 --> 00:11:11.120 same things with bun and Dino, So it means that 184 00:11:11.639 --> 00:11:15.639 you don't need that the source maps to be able 185 00:11:15.639 --> 00:11:19.120 to single step to the files anymore. You can just 186 00:11:19.320 --> 00:11:22.639 use those files as is the same way that you 187 00:11:22.679 --> 00:11:25.759 would with let's say, Jase doc. I'm just putting that 188 00:11:25.919 --> 00:11:29.000 up out there. But now going back to your point 189 00:11:29.000 --> 00:11:32.320 about that history of typescript that you were alluding. 190 00:11:31.919 --> 00:11:37.120 To just then, because for the haters, So the reason 191 00:11:37.159 --> 00:11:40.240 why typescript was even a thing, Anders was supposed to 192 00:11:40.399 --> 00:11:44.360 be joining the vis Co team that they were developing 193 00:11:44.440 --> 00:11:48.159 viskode in JavaScript, and the moment he joined the team 194 00:11:48.200 --> 00:11:51.759 and joined the effort, the first thing he suffered from 195 00:11:52.120 --> 00:11:57.960 was it's impossible to really refractor without the context. And 196 00:11:58.000 --> 00:12:01.000 he was like, guys, we haven't much bigger problem here, 197 00:12:01.480 --> 00:12:04.919 and that's kind of how we started off building typescript 198 00:12:05.159 --> 00:12:08.240 in order to help developers develop and out of his 199 00:12:08.360 --> 00:12:14.600 own pain as as a developer. So like these days, 200 00:12:14.240 --> 00:12:17.840 it is a human tendency when when we have something 201 00:12:18.679 --> 00:12:22.159 to be when we have a pain, so to be 202 00:12:22.279 --> 00:12:24.000 focusing on the pain. But there are a lot of 203 00:12:24.039 --> 00:12:28.000 things that we do get a lot of value from typescript, 204 00:12:28.080 --> 00:12:31.559 and there are trends, it's true, but I do think 205 00:12:31.600 --> 00:12:34.799 that there is a reason why this is an industry standard. 206 00:12:35.159 --> 00:12:38.759 I think the bottom line I think is that to 207 00:12:38.799 --> 00:12:41.440 the great to a great extent from again, from what 208 00:12:41.600 --> 00:12:46.559 I'm seeing, but I'm the simple size is relatively large, 209 00:12:47.279 --> 00:12:52.440 is the typescript one. I'm seriously not seeing any significant 210 00:12:53.000 --> 00:12:56.440 new projects being started in JavaScript. 211 00:12:56.799 --> 00:12:57.200 None. 212 00:12:57.320 --> 00:13:00.000 It's not like one or two or here or there, 213 00:13:00.080 --> 00:13:03.799 truly none. Every new project that I'm seeing is starting 214 00:13:04.039 --> 00:13:05.799 being started in typescript. 215 00:13:06.320 --> 00:13:09.639 That's great, even more of a case to talk about 216 00:13:09.679 --> 00:13:11.240 the security aspects of it. 217 00:13:11.720 --> 00:13:14.679 Okay, then do we want to talk to switch talk 218 00:13:14.720 --> 00:13:17.440 about that. By the way, I didn't introduce you to 219 00:13:17.639 --> 00:13:21.200 but because I forgot, but I think you both of 220 00:13:21.240 --> 00:13:24.440 you are coming kind of from the security space, right. 221 00:13:26.080 --> 00:13:28.799 No, no, no, not from the security space. 222 00:13:29.159 --> 00:13:31.879 Okay, then correct then please correct me? What space are 223 00:13:31.919 --> 00:13:34.159 you coming from. 224 00:13:34.200 --> 00:13:38.679 I'm a full sex developer. Typescript is my bread and butter, 225 00:13:39.159 --> 00:13:41.799 so I've been talking about typescript quite a lot and 226 00:13:42.080 --> 00:13:45.600 in the past two years. And it's also very exciting 227 00:13:45.639 --> 00:13:49.240 to see the massive shift that is happening now in 228 00:13:49.320 --> 00:13:54.519 typescript because the performance of Typescript has been a pain 229 00:13:54.600 --> 00:14:00.559 point in many projects for the past two years, and 230 00:14:00.679 --> 00:14:03.639 so it's just a topic that I really like, and 231 00:14:03.799 --> 00:14:06.759 I teach and I give workshops about so that's kind 232 00:14:06.759 --> 00:14:10.559 of why Duran invited me as the TS expert here. 233 00:14:12.120 --> 00:14:14.480 Okay, cool, and now about ju Leian. 234 00:14:16.200 --> 00:14:18.919 I'm a develop product at for Snake, so basically doing 235 00:14:18.919 --> 00:14:22.639 a lot of education and security research in the node 236 00:14:22.799 --> 00:14:27.679 and the travelscript space, I guess now effectively maybe officially 237 00:14:28.080 --> 00:14:31.159 in the typescript space as well. But the Areela helped 238 00:14:31.159 --> 00:14:33.320 me kind of like I think, sharpened some of these 239 00:14:33.360 --> 00:14:38.360 ideas and really try to frame them for tiptream developerss. 240 00:14:38.720 --> 00:14:40.919 I'm not, naturally, like I said, a type ship dev 241 00:14:41.519 --> 00:14:43.840 obviously going to adopt this more and more with the 242 00:14:43.879 --> 00:14:48.559 tooling and everything else. But it's it's been fun looking 243 00:14:48.600 --> 00:14:51.159 at it coming from I think fresh eyes to look 244 00:14:51.200 --> 00:14:53.879 at these problems. And I've had some which we'll talk 245 00:14:53.919 --> 00:14:57.320 about here, I think, but I've had like my journey 246 00:14:57.360 --> 00:15:00.240 into this really started with sharing something on social well, 247 00:15:00.279 --> 00:15:02.759 and then like it got blown up as like a 248 00:15:02.799 --> 00:15:05.200 really long tread with like what's they dodge from express 249 00:15:05.240 --> 00:15:08.440 and stuff like that, and people lurking and asking questions afterwards, 250 00:15:08.679 --> 00:15:12.240 and it became clear, like very evidently clear. Also by 251 00:15:12.960 --> 00:15:16.360 doing a bunch of like social media polls that devs 252 00:15:16.480 --> 00:15:19.639 view typescript in a very specific way, yet use it 253 00:15:19.840 --> 00:15:24.120 in different ways. And the whole security part is it's 254 00:15:24.200 --> 00:15:26.879 kind of meshed in between, but not in a really 255 00:15:26.919 --> 00:15:30.000 good way. And that's kind of like I think the 256 00:15:30.039 --> 00:15:32.200 premise for a lot of this discussion here. 257 00:15:32.639 --> 00:15:34.159 So can you elaborate please. 258 00:15:35.080 --> 00:15:39.799 Yeah, So it's basically started. I obviously share like a 259 00:15:39.840 --> 00:15:42.879 lot of security related stuff and most of them is 260 00:15:42.960 --> 00:15:45.480 like snippets and kind of like say, hey, this is 261 00:15:45.519 --> 00:15:47.799 like there's a security issue here, can you spot it? 262 00:15:47.840 --> 00:15:50.759 And stuff like that. And while we're on a medium 263 00:15:50.799 --> 00:15:54.240 that's like not really easy to share a code snippet, 264 00:15:54.279 --> 00:15:57.320 I can very clearly explain it. You don't have to guess, 265 00:15:57.320 --> 00:16:01.039 so we can fucture it together. But it basically a 266 00:16:01.080 --> 00:16:05.759 function for a template engine on a node not not 267 00:16:05.840 --> 00:16:07.759 in Typescript at that time. This is like ten years 268 00:16:07.759 --> 00:16:12.600 old or so. But it's basically something that escape htmls 269 00:16:13.080 --> 00:16:17.360 HTML characters. And the function has this type guard where 270 00:16:17.360 --> 00:16:20.600 it starts with like if type of you know some 271 00:16:20.720 --> 00:16:24.159 string that I'm getting equals a string, then do something 272 00:16:24.399 --> 00:16:27.879 and replace the characters, like basically turning them into HTML entities. 273 00:16:28.240 --> 00:16:31.120 So it's effectively doing a sort of output encoding like 274 00:16:31.519 --> 00:16:36.879 your favorite you know, react a framework would do. And 275 00:16:36.919 --> 00:16:40.679 then there's like there's no else but but outside of 276 00:16:40.720 --> 00:16:43.759 the conditional. So if if it's not a string, it 277 00:16:43.960 --> 00:16:46.279 just exits it, and it's like, you know, returns the 278 00:16:46.279 --> 00:16:50.879 string itself without sanitizing it or escaping it properly. And 279 00:16:50.960 --> 00:16:53.399 so that's the that's the that's the that's the quiz. Basically, 280 00:16:53.440 --> 00:16:56.120 that's the challenge. So I was posting that picture and 281 00:16:56.399 --> 00:17:00.679 someone replied like typescript would have got this, and I 282 00:17:00.720 --> 00:17:04.480 was like immediately like I don't think so, like why 283 00:17:04.480 --> 00:17:07.279 would it have got this? And you know our social 284 00:17:07.319 --> 00:17:09.480 media and internet goes or like yes it would, and 285 00:17:09.519 --> 00:17:12.160 I was like, no, it wouldn't. And it became like 286 00:17:12.200 --> 00:17:14.880 a long tread on blue sky, and you know, Wesley 287 00:17:14.880 --> 00:17:17.880 thought was started. We discussed that, and I think that's 288 00:17:17.920 --> 00:17:19.480 kind of like the promise, Like that's how it got me, 289 00:17:19.559 --> 00:17:21.759 like why would it? And I was like actually testing, 290 00:17:21.839 --> 00:17:24.400 like let's let's say, let's let's get a nice vulnerable 291 00:17:24.400 --> 00:17:26.799 project up and running, run divecrip on it and see 292 00:17:26.839 --> 00:17:27.680 if it works. 293 00:17:28.200 --> 00:17:29.920 And the real. 294 00:17:29.799 --> 00:17:32.440 Premise for like what's going on under is, which I 295 00:17:32.480 --> 00:17:36.519 think it's it's an interesting think talking through the security 296 00:17:36.720 --> 00:17:40.559 kind of like landscape or surface of developers using divescripts 297 00:17:40.720 --> 00:17:43.720 and the actual real world vulnerabilities that come from it. 298 00:17:44.119 --> 00:17:47.319 Also ZOD related to it as as a building block 299 00:17:48.000 --> 00:17:52.000 is interesting. But my I think, I think what kind 300 00:17:52.000 --> 00:17:54.559 of like hits it on the nail. And that's something 301 00:17:54.559 --> 00:17:58.759 that's been very i think, very resonating with both me 302 00:17:58.839 --> 00:18:03.799 and Wesley, was that if it seems that developers kind 303 00:18:03.799 --> 00:18:07.960 of like you know, feel about typescript and put misplaced 304 00:18:08.000 --> 00:18:10.880 trust on typescript in the same way that they put 305 00:18:10.960 --> 00:18:14.839 misplaced trust on code coverage, meaning they think of it 306 00:18:14.880 --> 00:18:17.480 more than it should they should, and they think of 307 00:18:17.519 --> 00:18:21.039 it as a security tool. And I think that by 308 00:18:21.079 --> 00:18:25.480 itself is while touchscript is, you know, like any strongly 309 00:18:25.519 --> 00:18:29.559 type language is helpful, it's not a security tool by itself, 310 00:18:29.599 --> 00:18:32.359 and that creates a fallicy and that is something that 311 00:18:32.400 --> 00:18:35.200 I would like to to change and maybe should do 312 00:18:35.319 --> 00:18:38.240 this conversation on this, you know, on this session, I 313 00:18:38.279 --> 00:18:41.119 can give you several examples of why that happens and 314 00:18:41.599 --> 00:18:43.279 how that fails developers. 315 00:18:43.480 --> 00:18:46.920 The fact that you said that people put trust in 316 00:18:47.160 --> 00:18:50.319 code coverage in the context of security reminds me of 317 00:18:50.359 --> 00:18:55.559 that old joke about QA and engineer working for a 318 00:18:55.640 --> 00:19:01.119 bar and ordering one beer, ordering zero beers, ordering million beers, 319 00:19:01.359 --> 00:19:07.599 ordering a hammer, ordering a ray, ordering yeah. And then 320 00:19:08.039 --> 00:19:11.000 and then the first customer walking in asking where the 321 00:19:11.039 --> 00:19:14.799 toilet is, the bar blows up and kills everybody inside. 322 00:19:16.039 --> 00:19:17.599 And the one yeah. 323 00:19:17.680 --> 00:19:21.079 So so that that grows to show like. 324 00:19:22.160 --> 00:19:24.559 The value of unit testing. 325 00:19:24.640 --> 00:19:28.960 Let's say, in the context of app of application security. 326 00:19:29.559 --> 00:19:32.000 I mean, I guess it's it's better than nothing, but 327 00:19:32.000 --> 00:19:32.960 but not by much. 328 00:19:35.559 --> 00:19:39.720 There are a lot of controversial posts about I wouldn't 329 00:19:39.759 --> 00:19:43.119 mention the name, but how teams replaced a lot of 330 00:19:43.200 --> 00:19:45.400 unit tests because they have typescript. 331 00:19:45.440 --> 00:19:46.640 Now, m. 332 00:19:48.440 --> 00:19:49.880 On that. 333 00:19:50.319 --> 00:19:52.759 If the unit test is there, why replace it? 334 00:19:53.480 --> 00:19:58.200 I mean time, I'll give you no better. Let me 335 00:19:58.279 --> 00:20:02.640 like you build another one on our else. Take. Now 336 00:20:03.000 --> 00:20:05.279 we said like if you have a typescript, then you 337 00:20:05.279 --> 00:20:09.680 maybe don't need tests. Well how about this. I have 338 00:20:09.759 --> 00:20:13.200 a take where someone said we don't need zoo if 339 00:20:13.240 --> 00:20:17.359 we have typescript and stuff like that. That's that's you 340 00:20:17.400 --> 00:20:20.799 know that, that is where this is happening. And this 341 00:20:21.039 --> 00:20:24.079 isn't like a random person, you know, getting pulled out 342 00:20:24.079 --> 00:20:28.440 of like ten thousand. There's a lot of confusion. Let me, 343 00:20:28.559 --> 00:20:31.960 let me pull up something. Wait, let me So I've 344 00:20:32.079 --> 00:20:34.799 pulled and I was was asking, when do you work 345 00:20:34.839 --> 00:20:38.160 on typescript code base? What is your level of ecosystem depth? 346 00:20:38.559 --> 00:20:42.000 And I gave three options. One is just typescript and TSC. 347 00:20:42.200 --> 00:20:43.960 The way that, for example, maybe I would use it 348 00:20:44.000 --> 00:20:47.480 as like a beginner you mean for type checking the man, yes, 349 00:20:47.720 --> 00:20:49.680 just type checking. You just you know me as a 350 00:20:49.680 --> 00:20:52.839 bit like I said, I'm beginner developer with typescript easy 351 00:20:52.920 --> 00:20:55.839 you know, you know, adapter for it. And the way 352 00:20:55.839 --> 00:20:58.119 that I would just like, you know, type my of course, 353 00:20:58.200 --> 00:21:01.160 have like a typing system type my data parameters and 354 00:21:01.240 --> 00:21:04.759 run a typescript checker compiler for it. So this is 355 00:21:04.759 --> 00:21:08.839 option one, and like fifty four percent of developers chose 356 00:21:08.880 --> 00:21:12.400 that one. The other two options was typescript and type 357 00:21:12.480 --> 00:21:16.079 narrowing also known as type cards, And the third option 358 00:21:16.240 --> 00:21:20.720 was typescript and narrowing and ZOD. And obviously, I think, 359 00:21:20.799 --> 00:21:23.960 like among the other experts here on typescripts like maybe 360 00:21:24.160 --> 00:21:27.519 more that you could pull into the ecosystem. But I've 361 00:21:27.519 --> 00:21:30.440 read this pollic quite a few times and it's always 362 00:21:30.440 --> 00:21:32.640 the same answer, like at least half of the people, 363 00:21:32.680 --> 00:21:36.519 if not more, really just us typescript as the compiler 364 00:21:36.599 --> 00:21:38.079 and the checker, nothing beyond it. 365 00:21:38.640 --> 00:21:41.480 Look putting ZOD for a site for a minute, and 366 00:21:42.400 --> 00:21:45.039 I think that would actually be the crux of our discussion. 367 00:21:45.160 --> 00:21:49.559 But before we dive there, type narrowing to me is 368 00:21:50.359 --> 00:21:53.920 part and parcel of typescript. I don't see the exact 369 00:21:54.000 --> 00:21:56.720 difference between number one and option number one and option 370 00:21:56.799 --> 00:22:00.319 number two, like you said, just typescript versus types of 371 00:22:00.480 --> 00:22:04.319 the type narrowing. How is type narrowing not just part 372 00:22:04.319 --> 00:22:04.960 of typescript? 373 00:22:05.079 --> 00:22:08.759 It means if you do runtime checks about the times, Yeah. 374 00:22:08.599 --> 00:22:11.799 I understand, I understand what oh you mean, like specifically 375 00:22:11.880 --> 00:22:17.160 doing lots of tests using type of exactly constructor equals 376 00:22:17.200 --> 00:22:21.640 and stuff like that exactly and which. 377 00:22:20.160 --> 00:22:22.839 Is not dipescript, you will even if you just do 378 00:22:22.920 --> 00:22:25.160 pure JavaScript. But I think that's you see, But that's 379 00:22:25.279 --> 00:22:28.920 that's the exact fallacy. Like developers don't they think they 380 00:22:28.960 --> 00:22:31.920 don't need to do this runtime security of type of 381 00:22:32.480 --> 00:22:34.920 even before we go to that, like you said, because 382 00:22:34.920 --> 00:22:37.440 they use a type system, because the compiler is fine. 383 00:22:37.559 --> 00:22:40.839 And someone gave me a screenshot where they show me that, uh, 384 00:22:41.160 --> 00:22:44.160 the request imagine like let's talk let's talk back end 385 00:22:44.200 --> 00:22:46.319 and servers and express and typescript, okay, because that's like 386 00:22:46.359 --> 00:22:49.880 the easiest uh you know attack surface here. So if 387 00:22:49.880 --> 00:22:52.079 you use that, you have a type request, right, and 388 00:22:52.160 --> 00:22:55.480 the request may get like requests or filter strings and 389 00:22:55.480 --> 00:22:57.799 stuff like that, like maybe a filter and maybe that 390 00:22:58.279 --> 00:23:00.039 is typed as a string or something like that, and 391 00:23:00.079 --> 00:23:02.920 then all the types that kind of like you know 392 00:23:03.240 --> 00:23:05.400 that string is is flowing through the code flow to 393 00:23:05.440 --> 00:23:08.000 the code path in different functions. And they show me 394 00:23:08.119 --> 00:23:10.200 and they say, hey, you know what, I can't even 395 00:23:10.319 --> 00:23:14.039 write a vulnerable function because it only accepts types and 396 00:23:14.079 --> 00:23:16.799 typescript safety because of the compiler, and I would find 397 00:23:16.839 --> 00:23:19.319 it on CI and I was like, no, it's won't 398 00:23:19.440 --> 00:23:22.799 because like runtime is not dev time. You can't make 399 00:23:22.839 --> 00:23:23.519 that assumption. 400 00:23:24.359 --> 00:23:26.640 Even dev time is not dev time. 401 00:23:26.680 --> 00:23:29.839